[ar:Anthony Rose & Ben Ramsey]
[al:Def Con 24 Hacking Conference]
[ti:Picking Bluetooth Low Energy Locks from a Quarter Mile Away]
[au:Anthony Rose & Ben Ramsey]
[by: DEF CON Communications (https://www.defcon.org)]
[00:00:00.23]
>>Alright let's get started, so
I am Anthony Rose. Nice to meet
everyone. So this is actually my
[00:00:05.93]
first talk at DEF CON. [Applause]
It's also my first time at
DEF CON, so this is really
[00:00:10.93]
[00:00:18.03]
exciting. So if you made it
here, I am giving a talk on
Bluetooth Low Energy. If you are
[00:00:23.03]
[00:00:26.57]
not interested, this is your last
chance to leave; otherwise you
are stuck here. So my talk is
[00:00:33.43]
picking Bluetooth locks from a
mile away, or smart locks made
by dumb people. So what I found
[00:00:38.43]
[00:00:42.40]
is a lot of manufacturers
decided to make user convenience
over security. So my job was to
[00:00:47.40]
[00:00:49.93]
take advantage of that. So I
want to steal your passwords and
get into your house. So let's get
[00:00:54.93]
[00:00:57.10]
started. So um, I'm Anthony Rose.
I am part of a hacking group
that we call Merculite. You
[00:01:03.40]
might have seen a couple other
talks around here, like some
instion stuff that's happening
[00:01:08.97]
later today. Refrigerators,
smart refrigerators, and then
another Bluetooth talk. I am the
[00:01:14.43]
lock picking hobbyist. By no
stretch of the imagination an
expert. But definitely a
[00:01:19.40]
hobbyist. My background is
actually electrical engineering.
You will notice that when you
[00:01:21.40]
look at my code, because um, I
don't code very well. When you
think, why the hell did he code
[00:01:26.40]
[00:01:30.67]
it this way, yeah, it's because
I'm not good at coding. I'm
sorry. Hahaha. My background
[00:01:35.67]
[00:01:37.90]
actually, um, I did research at
Arizona State. Go Sun Devils. Is
anyone here a Sun Devil? He
[00:01:44.37]
doesn't count cause he is my
brother. [Laughter] My
background is wireless video
[00:01:51.33]
compression, so I did some
wireless stuff prior. But really
mainly my focus is now Bluetooth
[00:01:55.93]
security, Low Energy Bluetooth
security specifically. Ben, he
was the other person who was
[00:02:02.83]
supposed to be here, he couldn't
make it. He had his appendix
removed, probably not safe for
[00:02:08.07]
him to travel. His background is
a PhD in computer science; he has
done some previous work. You
[00:02:13.07]
[00:02:15.20]
could actually look at some of
his stuff at ShmooCon, DerbyCon,
and he has a PoC||GTFO coming
[00:02:20.40]
out, so keep an eye open for
that. Quick overview of what we
are going to talk about, some
[00:02:26.43]
goals that we set out when we
actually wanted to look at
Bluetooth. What is Bluetooth Low
[00:02:31.13]
Energy, because not everyone
might actually know what it is.
Uhhh, why should you even care
[00:02:36.13]
what I'm talking about? Uh, some
exploits that we found. And then
some takeaways for consumers and
[00:02:42.20]
vendors. And then some future
works that we actually wanted to
work on. And then finally open
[00:02:47.30]
up the floor for some questions,
hopefully you don't throw
anything at me. So let's get
[00:02:52.43]
started. So our goals, really we
wanted to find vulnerabilities
in Bluetooth locks. Uhh, and once
[00:02:57.43]
[00:02:59.63]
we started to find
vulnerabilities we figured hey,
we might want to contact vendors
[00:03:03.67]
and let them know their locks
aren't safe. And it turns out
that vendors actually don't
[00:03:09.10]
care. Uhhh we contacted twelve
vendors and only one of them
actually responded. And their
[00:03:15.20]
response was yeah we think it's
a problem, but we aren't going
to fix it. So we figured next we
[00:03:21.50]
might want to release this stuff
to the public so that way at
least consumers know what the
[00:03:25.33]
issue is, so that they can make
the decision if they should buy
this lock or maybe I should try
[00:03:29.63]
and stay away from it. I am also
a big movie buff, so if you can
name all those, good on you. But
[00:03:36.30]
if you trust Newman for your
security, you are making a really
bad choice. [Laughter]
[00:03:42.90]
Yeah...and also if you can
actually recognize my t-shirt,
because I am a huge movie buff,
[00:03:47.23]
then I am impressed. So
uhhh, awesome. Oh yeah, sorry.
Maybe you should check it out
[00:03:52.23]
[00:03:56.20]
afterwards then. So what is
Bluetooth Low Energy? Originally
it was designed to be a really
[00:04:02.17]
low power protocol, and its
design really sends the minimal
amount of data. So you're looking
[00:04:08.50]
at very small amounts of data,
mostly like state updates, or
like passwords, am I open or
[00:04:12.63]
closed for a door, things like
that. It still operates in the
same spectrum as Bluetooth
[00:04:17.93]
Classic. It's still the 2.4 GHz
spectrum that everything uses.
And really the big thing for it
[00:04:24.60]
is really short range, cause the
power consumption is very very
minimal. You are talking about
[00:04:29.27]
like cell battery size. Uhh, so
you are looking at really, for
short range, about 100 meters in
[00:04:35.57]
most cases. Actually when you
talk about these locks, 20 to 30
meters is really where they cap
[00:04:40.53]
out. And what we wanted to do is
take advantage of this. So uhh,
should you use a USB dongle with
[00:04:46.13]
an antenna hookup, and you
actually get one of those which
has a decent amount of power on
[00:04:50.73]
it, you can actually start
communicating with these devices
at like a quarter, half mile
[00:04:54.97]
distance. So that's actually
what we did, which was pretty
cool. Uhhh I should have changed
[00:04:59.77]
slides there. Uhh, one of the
commands we will be sending is
going to go to this Host
[00:05:05.50]
Controller Interface. And
actually what we send on Linux
actually gets interpreted
[00:05:09.30]
to this GATT, the Generic
Attribute Profile, and what this
does, it's actually sitting both
[00:05:14.80]
on your lock and your phone, or
whatever user device you
are using. This is actually how
[00:05:18.87]
they communicate. Uhh there's
things called attributes on the
server, and we actually send
[00:05:24.53]
read and write requests as the
user, to the server, to actually
learn information or send
[00:05:29.50]
information. So that's how I
send my password to a lock and
that's how the lock responds
[00:05:33.43]
with now I'm open. So all those
attributes are actually sitting
on this GATT server. And now you
[00:05:39.63]
are probably thinking, why should
I even care what this guy is
even talking about? Well, turns
[00:05:43.37]
out these things are really
popular. The recent estimates
for how many of these devices
[00:05:48.07]
are being built a year is like
3 billion a year, so there's
tons and tons of Bluetooth Low
[00:05:52.90]
Energy devices. I mean if you
look at your phone, it probably
has Bluetooth Low Energy in it,
[00:05:57.33]
so they're everywhere. And they
are being used for security
purposes. So they are being used
[00:06:01.80]
to secure your homes and your
valuables. And there's a wide
range of these devices. There's
[00:06:05.87]
deadbolts, bike sharing programs
use these locks, lockers, gun
cases, ATM locks, yes ATM locks.
[00:06:10.87]
[00:06:13.10]
ATM locks where they actually
lock up the money with a
bluetooth low energy lock,
[00:06:16.97]
surprisingly. And then Airbnb,
does everyone know what Airbnb
is? Anybody? Okay. Uhhh, so
[00:06:23.70]
surprisingly you can actually
rent houses with this program
and they use smart locks, you
[00:06:27.67]
actually get the code from them
and then you actually open up
the lock and go in there. I had
[00:06:32.30]
a friend who travelled Europe
recently who saw a bunch of
locks we are going to talk
[00:06:35.70]
about, and he was like, really,
look at this, could you break into
them, could you get me a free
[00:06:41.00]
house. And I said, ummm probably
not. So there's a wide range of
companies that actually build
[00:06:45.70]
these products, uhhh, a lot of
big companies and a lot of
startups. And what we found is that
[00:06:50.37]
a lot of the smaller companies
just didn't have the funding to
actually build security in, at
[00:06:54.50]
least robust security. And
that's something we focused on.
But still even the big
[00:06:58.60]
companies, still had some holes
in a lot of the things they
developed. So to actually hack
[00:07:04.83]
Bluetooth, what you need is,
uh, a sniffer. I'm sure everyone
is familiar with the Ubertooth.
[00:07:09.30]
Uhh, pretty affordable option at
$100. Obviously there's some
cheaper options, but this is
[00:07:13.80]
actually what I prefer. You need
something to be able to send
commands after you sniff them,
[00:07:18.03]
so you need a USB dongle of some
sort. You can get a regular USB
dongle for $15. I really like
[00:07:24.60]
the UD100 [inaudible], it's got
an antenna hookup, so you can
hook up a really high gain
[00:07:30.20]
antenna on it. And then you can
really have fun at really long
distances. Uhhh, Raspberry Pi is
[00:07:35.83]
great because it actually runs
all the stuff mobile, and when
you actually use that kind of
[00:07:39.93]
platform, you can just set it up
and leave it. Don't need to
worry about somebody stealing
[00:07:44.00]
it. Uhhh, a laptop, obviously,
somebody might walk away with. A
Raspberry Pi, you're only out $40
[00:07:48.77]
bucks, so it's not really a big
deal. The high gain antenna that
I use is a 15 dB Yagi, if you are an
[00:07:53.77]
[00:07:56.10]
electrical engineer like me.
That's actually all my stuff
right there. My wife gets really
[00:07:59.80]
upset because it takes a lot of
space, and she gets pretty
pissed, so. The Ubertooth One,
[00:08:04.80]
[00:08:09.10]
you're all familiar, created by
Michael Ossmann, a couple of years
back. You can look up a lot of
[00:08:12.67]
information on it. But really
the important part of it, it was
really the first Bluetooth
[00:08:16.50]
sniffing tool that was really
out. Prior to this a lot of the
other options were really really
[00:08:22.60]
expensive, like $10,000. So this
made it really affordable for
the average user like us. This
[00:08:29.13]
does all passive sniffing, and
it really only has a receive
capability. Uhh, you can modify
[00:08:34.00]
the firmware to do other things.
But really for low energy it's
really only receiving commands.
[00:08:38.93]
Which is good, because the user
has no idea this is happening.
You can use that with like a USB
[00:08:44.40]
dongle, you can actually go
wardriving with it. So I like
drive around my neighborhood and
[00:08:48.03]
pick out all the things my
neighbors have, or I set up my
antenna out my windows, and then
[00:08:52.83]
my neighbors knocked on my door
and they wonder what the hell
I'm doing. So you know you can
[00:08:57.33]
drive around, you can pick up
passwords from far, or actually
pick out networks from people.
[00:09:01.47]
Then you set up a high gain
antenna in the back of your Jeep
like I do, park it at McDonald's
[00:09:06.33]
and then I sniff your password
from your house, from maybe a
half mile. And then guess what I
[00:09:10.30]
could get into your house if I
wanted to. Uhhhh, and it's really
concealable, I mean no one's
[00:09:13.93]
gonna be looking into the back
of my truck at least, at least I
hope not. And it's great. Uhh, so
[00:09:20.20]
uhh, one of the cool things we
actually thought of: war flying.
So take like a quadcopter, hook
[00:09:25.87]
up a Raspberry Pi to it, fly it
around, use the onboard GPS to
actually plot where devices are,
[00:09:31.47]
and actually find where they are
and you can actually go back
later. Uhh I haven't really had
[00:09:35.10]
the time to build it, but you
know it's a cool project. Maybe
someone could build it and I could
[00:09:39.10]
play around with it. So I did a
recent trip around my
neighborhood. I drove around for
[00:09:42.37]
like an hour. I found a lot of
really cool things. Smart TVs,
smart, like, uh, pressure cookers,
[00:09:48.37]
toasters, Fitbits, God knows
what people have. But I actually
found 4 locks that people
[00:09:53.73]
actually had within about 40
minutes, which is pretty cool
'cause all 4 of those locks
[00:09:58.43]
I actually know, and two
of them I actually have exploits
for. So uhhh, I probably should
[00:10:03.03]
have told them, but yeah, uhh,
whatever. So before I go through
all the locks I broke, I want to
[00:10:08.33]
point out 4 of them I couldn't
actually break. I've had some
ideas of how to actually break
[00:10:13.07]
them, I just haven't had a
chance to do it yet. But
let's go through the ones I
[00:10:16.50]
could still break. The first one
is the August lock. There's some
exploits that I think I could
[00:10:21.10]
use, but haven't had a chance to
use. But about a year ago a
couple of individuals posted on
[00:10:25.67]
their blog about a hard coded
password, actually built into
their application. So this
[00:10:30.13]
password isn't used for much
except settings, but still the
practice of having a hard coded
[00:10:35.23]
password in your applications is
really not a good thing. The
next one is actually really
[00:10:39.43]
surprising. So the Kwikset lock,
actually, uhhh, they had a really
interesting design decision.
[00:10:45.57]
They built fantastic Bluetooth
security on it; it's really hard
to break. However, their lock, at
[00:10:51.53]
least the older versions, you
can actually use a screwdriver
actually to open the lock. So it
[00:10:55.87]
takes about 10 seconds to
actually break the lock open. I
really wanted to try it, but I
[00:11:00.40]
had one of the newer models, and
I really didn't feel like
breaking a $300 lock, because I
[00:11:04.70]
really don't have that much
money. So I didn't break my
lock, but there's YouTube videos
[00:11:08.80]
all over the place. Go check
them out, they're pretty cool.
But yeah that's a great design
[00:11:13.17]
decision on their part, right?
Uhh, what do they all have in
common? They all use AES
[00:11:18.10]
encryption, they use some sort
of nonce value, a random
number. Then they actually send
[00:11:22.77]
that value and get it encrypted
and then send it back. That's
normally how a lot of these
[00:11:26.17]
locks work. All of the
ones that I sorta broke had 2
factor authentication, at least
[00:11:30.93]
they aren't using hard-coded
passwords anymore, at least I
hope not. And then they use a
[00:11:34.47]
really long password space, uhhh,
16 to 20 characters in most
cases. Some of the ones I
[00:11:40.10]
actually found use 6 to 8
characters surprisingly, I don't
know why you would ever choose
[00:11:44.60]
that, but that makes brute
forcing very easy. And I
actually put out some tools for
[00:11:48.23]
you guys to actually be able
to brute force things. There's a
wide range of vulnerable
[00:11:53.37]
devices, so before you get
overwhelmed by this slide, I
broke them into categories, uhhh
[00:11:58.53]
to be able to see the
categories, and each category is
a lock. The firmware number in
[00:12:03.30]
case they updated, that way at
least you know which version you
can exploit. And then a symbol
[00:12:08.10]
for whether it's a padlock or a door
lock. So we are going to go over
plaintext passwords, replay
[00:12:13.70]
attacks, actually fuzzing a
device to get it into an error
state. Uhhh, one where we
[00:12:18.97]
actually decompile an app, and
actually get something out of it
that's interesting. And then
[00:12:22.73]
finally device spoofing, pretty
much your man in the middle
attacks. Pretend to be a lock and
[00:12:27.80]
get the user to send me a
password so that way I can
unlock their device. To be able
[00:12:32.60]
to do this, you need to be able
to sniff first, so we use the
Ubertooth. So the way Bluetooth
[00:12:36.93]
Low Energy actually works, you
have 3 advertisement channels.
If I want to steal your password
[00:12:41.37]
on the first try, I need to be
able to sit on each of those
advertisement channels. So I
[00:12:45.17]
need to have 3 Uberteeth in this
case. Uhhh, one set up on each
advertisement channel, so I know
[00:12:50.97]
I can actually get the
information. Obviously I'm
sniffing wireless so there's no
[00:12:54.57]
guarantee I'm gonna get it, but
at least I'm increasing my
chances. Once I have all of that
[00:12:58.67]
information I can compile it all
into one file, I can filter out
all the duplicate stuff, and
[00:13:03.00]
then I can actually filter for
your password. Now that I have
your password, I need to be able
[00:13:07.17]
to send it somewhere. So what we
do is we use Scapy; it actually
has some sockets built into it
[00:13:11.73]
which is pretty cool. I can bind
right to the bluetooth socket
and actually send commands to
[00:13:16.70]
the dongle that actually go to
devices. So that's what,
actually, that's what we use, and I
[00:13:20.90]
built some commands we regularly
use into Python so that we are
actually able to use them. So I
[00:13:25.83]
can connect, do read/write
commands, and I can do spoofing,
actually change my address and
[00:13:30.50]
my device name, all through
these sockets. Which is great.
So now that I have all of that
[00:13:35.03]
in place, I can actually start
attacking locks, and that's what
we are gonna do now. So uhh, I
[00:13:41.93]
wanted to say this was the first
lock I actually broke, but turns
out it's not. I found out this
[00:13:46.77]
morning actually from my dad,
apparently like 15 years ago,
you know the remote that actually
[00:13:52.37]
blocks like TV channels on, uh,
on, uh, cable boxes. So I guess I
actually guessed his password 15
[00:13:57.37]
[00:13:59.43]
years ago and I started watching
inappropriate things [laughter]
so turns out that's actually the
[00:14:04.67]
first lock I broke. So I broke
into his remote and decided to
watch late night HBO, so this is
[00:14:09.93]
the second lock I ever broke.
[Laughter]. So this is the
Quicklock, and they had a
[00:14:14.87]
really interesting design
decision. So what they actually
do with this lock is they send
[00:14:18.03]
your password in plaintext. Uhhh,
not only do they send your
password in plaintext, they
[00:14:21.13]
send it twice, so they double it
up. Then they throw an opcode at
the beginning. So I thought to
[00:14:27.50]
myself, why would they do this?
Turns out they do this because
you can actually change the
[00:14:33.03]
password by using the same
command with the same handle. So
that's actually what we're gonna
[00:14:37.30]
do. So right now this lock is
broken. So let's cross this off;
I can get into this lock. But I
[00:14:42.80]
want to do more than just break
into this lock. I want to be
able to take advantage of the
[00:14:46.83]
fact that I can actually change
that admin password. So umm, I'm
going to change the admin
[00:14:51.10]
password now. So how do I do
that? So I take that opcode and
change it to 01, and then I
[00:14:56.53]
set the password to be all
sixes. So you're thinking, oh
cool, you know, the admin's now
[00:15:01.43]
locked out, the user is locked
out, they can't use the device.
Uh turns out the user can reset
[00:15:06.43]
[00:15:10.27]
the device without removing the
battery, so you have to remove
the battery from the device to
[00:15:14.40]
reset it. So guess what, the
battery is actually behind a
panel that can't be removed
[00:15:20.23]
unless the lock is already open.
[Laughter]. So really they're
completely locked out of their
[00:15:27.13]
device, and since I'm doing this
outside the application, the
application doesn't actually
[00:15:31.27]
know what to do. So it actually
pleads with you, hey, please help
me, I don't know what to do, put
[00:15:36.60]
the right password. So I locked
the user out in both the
application and physically from
[00:15:41.70]
their device. So that's pretty
cool. Ummmm, really actually
really interesting story. I
[00:15:46.30]
found this device pretty
recently and I'll tell you a
story about it. So I went to a
[00:15:50.57]
car dealership recently, and uhh,
I actually had to get an oil
change for my car, and they told
[00:15:56.10]
me, hey, it's going to be like 2
hours, go have a seat. And I'm
like, you told me 30 mins on the
[00:16:01.70]
phone, what the fuck. So I
figure, hey, you know what, it's
not that big of a deal, and they
[00:16:06.07]
are just like, go have a seat. So
at this point I'm pretty pissed
'cause they keep telling me to go
[00:16:10.00]
sit down and shut up, so I, I
walk away and I'm thinking to
myself: You know what, fuck you,
[00:16:15.20]
I'm going to start hacking your
shit. [Laughter] I start
scanning all the stuff they have
[00:16:21.40]
available and I'm seeing cars
pop up, people's iPhones,
Fitbits, a couple of Tiles, if you
[00:16:27.90]
know anything about Tiles, so I
started actually to search and
sniff stuff 'cause I wanted
[00:16:32.97]
things to go off just to piss
them off. So uhhh, I started
doing that, and then this lock
[00:16:37.63]
popped up and I got really
excited, 'cause this is actually
that Quicklock that we just
[00:16:42.33]
talked about, so 30 mins go by,
I'm waiting, I'm waiting. It's
about the time I would be home
[00:16:48.57]
already at this point, and then
I get the guy's password. So
uhhh, I'm really excited at this
[00:16:51.97]
point. So let me show you his
password. Here it is, actually
let me zoom it in. [Laughter].
[00:16:56.97]
[00:17:04.13]
Yeah, he set his password to be
69s, ummmm, actu... um, remember
I'm in a car dealership, so the
[00:17:10.93]
guy looks like this. Uhhh, so
think about a user: he sets his
password, he thinks no one is
[00:17:16.43]
gonna guess it, but little does
he know I'm gonna sniff it in
plaintext and actually, you know,
[00:17:21.60]
I can see it. So uhhh, yeah, he is
a bit of a pervert, I'm sorry.
[Laughs]. No, I didn't break into
[00:17:26.50]
his lock, but at least I have his
password, so that's kinda cool.
Uhhh, since we are dealing with
[00:17:31.17]
plaintext passwords, we can
brute force them. You know, with
me, I feel that when all else
[00:17:36.73]
fails, brute force it. Uhhh, but
a lot of the things that these
manufacturers do is they limit
[00:17:41.27]
the password space, so what I
found is that a lot of them use
minimal password spaces. So 8
[00:17:47.30]
digits in some cases, or 6
characters exactly. So those
password spaces are really easy
[00:17:52.70]
to brute force as they are
really small. Still it could
take a while, so you can use
[00:17:56.90]
word lists, obviously. You can
use 1s, 1 through 8, 69, phone
numbers, street addresses, or with
[00:18:01.90]
[00:18:04.50]
a wordlist with exactly 6-character
words, and use that to
brute force. All of that is on
[00:18:09.83]
GitHub, you guys can check it
out at the end. Uhh, if you break
into things, send me a message.
[00:18:13.33]
It will be pretty cool. So
here's a little demo of the
Quicklock. Pretty simple little
[00:18:18.60]
lock, actually. Umm, you know, you
have to click the button on it
actually to connect to it,
[00:18:22.83]
started sniffing it with
Ubertooth. I actually get a pcap
file that I'll then put into a
[00:18:27.80]
script, that actually parses all
of the information and pulls out
the password for me, then sends
[00:18:33.97]
it to the lock. And I'm not
really a nice guy, so I decided
that I should also add in where
[00:18:39.80]
after I unlock the lock, I also
change your password. So you are
also locked out when I break
[00:18:44.43]
into your house. So thats pretty
cool. Originally I wanted to do
a wireless demo, but everybody
[00:18:50.30]
here has Bluetooth. It is
fucking crazy. If you do a quick
scan, there are a 1000 something
[00:18:56.60]
devices. And there is no way in
hell that I will actually be
able to sniff here, so I opted
[00:19:01.80]
to do videos here, so everybody
knows. Next, actually, some
companies opted to actually do
[00:19:08.03]
encryption. And you think, oh
great, they use encryption. Their
websites advertise crazy things.
[00:19:13.27]
They advertise we are using
256-bit AES encryption; the
military uses it, so it's gotta
[00:19:18.80]
be great. So turns out they
don't actually use encryption
the way that it should be used.
[00:19:20.80]
So turns out that I just sniff
it, and then send it back to the
device, and it opens. Which kinda
[00:19:24.53]
sucks for them, it's great for
me, but really sucks for these
companies. Uhhh even better than
[00:19:26.53]
that. All four of these locks
actually have more in common
than just replay attacks. Uhhh,
[00:19:28.53]
actually if I set my password to
be password, for example, and I
set it on one of these devices,
[00:19:30.53]
it actually encrypts it exactly
the same way on all four of
them. And then they actually use
[00:19:34.57]
the same method of actually
opening up, as the other ones.
So turns out a lot of these
[00:19:40.13]
locks, they are sold on Amazon,
Newegg, couple of other
websites, and they go up 2 or 3
[00:19:45.33]
at a time and they pull them
off. So they end up using the
same code as the backend for all
[00:19:50.73]
of them, and they just keep
repackaging them as something
else. So uhh it makes it really
[00:19:52.73]
easy if you actually just sniff
it and replay it to open them.
Oh and by the way they are all
[00:19:56.93]
made by Chinese manufacturers.
I'm not bashing anything, but
yeah, they all have stickers on
[00:20:01.93]
[00:20:04.20]
them written in Chinese. And the
manuals are actually written by
somebody who cannot speak
[00:20:07.80]
English. It's absolutely awful
to figure out how to set these
up. So these are broken, pretty
[00:20:12.80]
[00:20:26.27]
cool. Now next, actually, after
this one is actually a
completely different thing. We
[00:20:30.83]
were looking for companies, that
actually use encryption, but
maybe developed their own sort
[00:20:36.13]
of encryption. So we wanted to
see, hey, can we actually fuzz it?
If we fuzz a device, can we get
[00:20:40.70]
it in an error state and what
happens when it's in that error
state. And that's actually where
[00:20:45.13]
we found this lock, Okidokeys,
uhhh, if you are familiar with
it, uhhh, it's made of all
[00:20:49.97]
plastic. I don't know why you
use a plastic lock for your
house, uh, cool. Hahaha. We
[00:20:56.40]
actually went to their website,
and we started looking at
how they claim their security.
[00:21:01.27]
So actually the interesting
part to us was, hey, we developed
something that was similar to
[00:21:05.40]
AES encryption, we are like, oh
cool, and they combine it with a
patented cryptographic solution.
[00:21:10.40]
[00:21:12.40]
So if you know anything about
crypto, proprietary crypto is
not a good idea. Usually it
[00:21:17.87]
means it's not tried and
tested, and there are usually
things you can take advantage
[00:21:21.80]
of. This is exactly what we did.
So we figured, hey, let's take a
look at this lock, what can we
[00:21:27.30]
find out about it? So we started
sniffing a bunch of things on
it, we started sniffing a bunch
[00:21:31.77]
of packets, and we started
noticing the keys really weren't
that unique. Ummm, you started
[00:21:36.87]
seeing patterns in them. So you
figure, oh cool, you know, maybe I
will be able to fuzz it. So we
[00:21:41.93]
came up with this intricate
fuzzing script, you know we were
going to do one byte at a time,
[00:21:46.20]
it was going to come up with
combinations, it could take days
or weeks or months. Boy, were we
[00:21:50.70]
wrong. Turns out it takes about
3 seconds. [Laughter]. Because
if I take the 3rd byte and I
[00:21:55.70]
[00:21:59.37]
change it to 0, the lock enters
an error state. Not only does it
enter an error state, it opens.
[00:22:04.37]
[00:22:12.03]
[Laughter]. [Clapping].
Hahahaha. Oh, it gets better.
Ummmm [laughter] it goes,
[00:22:18.33]
actually sends up an error
message in the application
saying the keys are out of sync.
[00:22:22.53]
So I started to think to myself,
why would this happen? Why would
the keys be out of sync?
[00:22:26.57]
Remember that patented crypto we
talked about earlier? Yeah it
might be some sort of XOR,
[00:22:32.13]
because they actually used a
previous key to generate future
keys; they are out of sync. So
[00:22:38.10]
yeah, that wasn't really a good
idea. So uhh, a very funny story
about them: we contacted them to
[00:22:43.40]
let them know they had some
problems with their lock, and
then they turned off their
[00:22:47.30]
website. [Laughter]. So uhhh, I am
not claiming any responsibility
for anything, but yeah, they
[00:22:52.30]
[00:22:54.83]
turned off their website after
we told them there is an issue.
You can still buy their stuff,
[00:22:59.03]
they are still selling it on
Amazon, so you can go check it
out. But it may not be supported
[00:23:03.07]
much longer. And then there's
actually a video of it, pretty
cool. You use the application to
[00:23:07.83]
actually unlock it, you swipe it
and it unlocks. I sniff the
password that's current, and I
[00:23:14.40]
will take that, I will actually
run it through my script, where
it actually takes out the
[00:23:17.90]
password, turns that 3rd byte to
zero, and then unlocks... at
some point... and there it goes.
[00:23:22.90]
[00:23:34.83]
Hahahahaha [Clapping]. And then
this is where the user comes
back and they want to lock their
[00:23:40.10]
door, they want to unlock it or
whatever they want to do, and
guess what it doesn't work. That
[00:23:44.57]
kinda sucks. So... uhh, so kind
of a different thing to talk
about. The thing about Android
[00:23:51.47]
applications, you can actually
pull off those applications in
APK format. You can actually
[00:23:56.17]
decompile them, actually into
readable code. Umm, so I actually
like to use this Bytecode
[00:24:01.70]
Viewer; it allows you to view it
in a bunch of different ways and
actually view what they coded as
[00:24:08.03]
if it's readable. That's what I
did for this lock, the Danalock.
I actually broke this lock
[00:24:13.17]
down into readable code, to
actually see what they put in
there. Turns out they had this
[00:24:18.57]
hardcoded password in there.
[Laughter]. Umm, yeah, you think
this password is cool, guess
[00:24:23.50]
what. They don't just put this
password in there, this is on
every device. They actually
[00:24:27.60]
store your password also, so my
password in this case is
password. So they actually XOR
[00:24:32.93]
that with this super secret
password they have, and then
store it in this table. So
[00:24:38.20]
actually every user's password
is stored in this table and
actually I know the method they
[00:24:42.83]
use to store these passwords.
Uhh, I haven't had a chance to
actually break this lock. I'm
[00:24:47.47]
pretty sure that's what this is
used for, but I am not 100
percent sure. I want to go back
[00:24:51.33]
and actually do it, but I
haven't had a chance. So it's kinda,
kinda pwned since I haven't
[00:24:55.80]
really broken into it yet, but I
kinda have all the tools to do
that. A big thing a lot of
[00:25:01.73]
companies are moving towards is
like a web server backend. That
way you can't pull passwords from
[00:25:06.37]
actual applications. So what
they do is store it on a web server,
and you ping that server with
[00:25:11.00]
some sort of value, they encrypt
it and send it back. This is
great because a lot of the
[00:25:16.13]
companies are using it; it's a
lot more secure. However, if you
fake the device, you can
[00:25:21.33]
actually trick the user to send
you the password. So we actually
take the device, we impersonate
[00:25:26.97]
it, and we trick the user into
giving us a password. To do that,
it doesn't take a lot of
[00:25:31.27]
equipment: a Raspberry Pi, maybe
a laptop. You need something to
run BlueZ, that Bluetooth stack.
[00:25:37.47]
You need something to actually
build the GATT server on your
device. So bleno is a great
[00:25:42.37]
program. Um, I saw some of the
other talks talk about bleno,
with the man in the middle
[00:25:47.33]
attacks. Then you actually need
something to pull services off
devices. And I like LightBlue
[00:25:52.73]
Explorer, a great program that you
can run on your phone. The
reason that I like it is, now
[00:25:56.63]
when you walk around with a
phone no one looks at you funny,
but when you walk around with a
[00:26:00.20]
laptop everybody gives you a
really really nasty look. It's
great to use on your phone cause
[00:26:05.27]
no one looks at you twice. And
this is very mobile, if you set
it up on a raspberry pi, you can
[00:26:10.60]
really set it up anywhere. And
it's somewhat undetectable. And I
say that if these applications
[00:26:15.67]
are running in the background,
the user has no idea they are
connecting to you and giving you
[00:26:20.27]
a password. The web servers
might know. So that's kinda
where it's somewhat. However most
[00:26:25.13]
of these web servers don't give
a shit. You can ping them a 1000
times and they will give you a
[00:26:29.10]
1000 passwords. And you can build
a whole table of passwords from
this. And guess what these
[00:26:33.13]
servers don't care, cause they
actually think you are the right
person. So I keep getting
[00:26:37.00]
passwords and I can do whatever
I want with them. And we found
actually one of the devices we
[00:26:40.80]
are going to talk about in a
second: BitLock. If you are
familiar with this lock, it's
[00:26:44.10]
actually a padlock they use for
bike sharing. They are pretty
widely used, they are in like 20
[00:26:48.60]
different countries. Uhh all
over the United States as well.
And that's what we will actually
[00:26:53.17]
be looking at, because they
actually use a nonce value that
they send, and we actually found
[00:26:58.27]
a way to predict what the next
nonce value is gonna be. And I
will show you that here. So this
[00:27:02.87]
is actually how we break into
the lock. We connect to the
BitLock first, we actually scan
[00:27:09.63]
for all of those attributes, all
the primary services, the
characteristics, and we build a
[00:27:13.70]
copy of the server in Bleno.
And there's all the attributes
right there. So I connect to the
[00:27:20.13]
lock, uhh I set, I actually get
a nonce value, and I send an
invalid password. Doesn't matter
[00:27:26.07]
what I send cause I just want to
know what it's gonna do next.
Next it actually increments it
[00:27:31.40]
by 1, and the reason why it does
that, that's actually the method
it uses to actually generate a
[00:27:36.13]
random value. That random
nonce is actually only
incrementing. And that's it.
[00:27:40.50]
That's all they do. So I
actually have every value from
this point on, because they are
[00:27:45.00]
just going to increment it every
other time. So I am done with
them, I have everything I need.
[00:27:49.30]
I just need a user. So I wait
for them to park their bike,
they lock it up, they go
[00:27:53.33]
somewhere. Then I set up my
device to connect to it. I
actually send them that value,
[00:27:59.50]
that n + 2 value that I was
talking about. They send it to
their web server, they encrypt
[00:28:04.60]
it, send it to me. And now I
have their password. Pretty easy
process. And that's all because
[00:28:11.20]
of that nonce. Now I go back to
that BitLock. And here's the
best part of all of it, this
[00:28:16.00]
value I'm talking about, it
doesn't matter what I set it to.
So I can get n + 10, I can get n
[00:28:21.30]
+ 100, I can get n + 1000, I can
build an entire table of
passwords. Because they are only
[00:28:25.93]
incrementing that value and I
know how to force the BitLock
how to increment. So now I go
[00:28:30.60]
back to the BitLock, whatever
value I'm at, I force it to
increment, so I connect to it.
[00:28:36.00]
It sends me this random value I
would never guess, I send the
encrypted version to it and
[00:28:41.43]
guess what it opens. [Laughter]
[Clapping]. So now I have their
bike, I'm riding around on it.
[00:28:46.43]
[00:28:54.33]
Hahaha. So this is pretty
deployable, pretty easy to use
because, you want to
[00:28:58.77]
look... really your targets for
this really is high traffic
areas. So you want to look for
[00:29:03.27]
like coffee shops. Because
hipsters like bikes. [Laughing].
So if you find a coffee shop,
[00:29:08.13]
there is probably someone using
one of these locks nearby. Or
you can look for universities,
[00:29:12.60]
because some of the universities
want their students to use bikes
and guess what we found one that
[00:29:18.67]
uses this. Ummm I'm not gonna
tell you what university, but
when you open up the application
[00:29:23.57]
there is a very cool feature
built into it. So you can
actually look at any bike share
[00:29:29.73]
program that's out there,
without actually being
subscribed to their bike sharing
[00:29:33.60]
program. So I travelled to this
university and I could actually
find where all of their bikes
[00:29:39.23]
are actually located. I just
have to go to one of those
locations. So I go to one of
[00:29:43.63]
those locations and look there
is a bike, and then I get out my
phone and I start scanning,
[00:29:49.53]
because guess what I have my
phone out and nobody thinks
twice. I curse a couple of
[00:29:53.43]
times, I kick the bike and
everyone just thinks I'm stupid
and cant open the lock. But I
[00:29:58.37]
have all the information I need
right now, so I go sit at a park
bench nearby and I start
[00:30:03.53]
entering all the information I
got collected with LightBlue.
So I take that information and
[00:30:09.37]
actually put it into Bleno so I
actually have the device name
now and I have the nonce value.
[00:30:14.67]
And then I start advertising.
And I wait for a user to come by
and connect to me and I'll get
[00:30:19.47]
their password. Well there
happens to be one problem, if you
know anything about college
[00:30:24.70]
students they don't like to hang
around during the summer and
that's when I decided to
[00:30:28.20]
actually go there. So there was
nobody around. So yeah that was
a little upsetting. But I do
[00:30:34.50]
plan on going back during the
fall, when I actually know
there's people around to test
[00:30:37.90]
this again. At least so I can
get passwords. I'm not gonna steal
any bikes, I promise I won't.
[00:30:42.67]
Uhhh but if you guys do, it has
no bearing on me. So whatever
you want to do. Uhh cool thing
[00:30:47.67]
[00:30:50.10]
you can actually do, actually to
take advantage of things you can
actually do like a relay attack
[00:30:55.03]
with this. And the reason why we
thought of this because we
contacted BitLock originally.
[00:30:59.53]
And we told them hey, you might
want to change your value that
you're sending out because guess
[00:31:04.77]
what it's just incrementing and
I can predict that. So they came
back and said hey we will fix
[00:31:10.13]
it, that was 3 months ago and
it's still not fixed, but maybe
they will get to it eventually.
[00:31:15.73]
But a lot of the other locks
that we can't break into
actually use a similar process.
[00:31:20.37]
So we figure hey let's take
advantage of this, and see if we
can do an attack like this on
[00:31:24.27]
other locks that we couldn't
break. So that's where this
attack actually came in, so what
[00:31:28.70]
I do is I stand near the lock,
with a device. And the lock
sends me a nonce value, I take
[00:31:35.27]
that value and I send it to
another device that's sitting
near the user. I use cellular
[00:31:39.33]
wifi or something to send that
information. This device is like
taped underneath their car,
[00:31:43.80]
whatever high tech method you
want to use. But as long as it's
near them it doesn't really
[00:31:47.10]
matter, because I'm going to
send that value to them and they
are going to get it encrypted
[00:31:50.80]
for me and send it back to me.
All because this app is running
in the background, and this is
[00:31:55.23]
really the big problem. Because
these apps are constantly
running for user convenience.
[00:32:01.03]
And since they're focusing on
convenience and not security I'm
gonna take advantage of that. So
[00:32:05.97]
they send that password back to
me while I'm standing at the
lock and I open it. And this is
[00:32:10.27]
all done in realtime really
quickly. And this is actually
what we want to develop next,
[00:32:13.70]
this is kinda our next project
we want to work on. To be able
to do this. And you are probably
[00:32:18.47]
thinking how do I find these
rogue devices, well actually
sadly uhmmm, if you saw the Blue
[00:32:24.37]
Hydra talk, they actually did
something similar to us. So this
is another kinda one of those
[00:32:28.43]
programs. But it's BlueFinder,
it's just a program we built, it
allows us to track devices. So what
[00:32:34.13]
we did we actually tested a
range of devices and actually um
found out what their signal
[00:32:40.03]
strength was at a meter, and
then we actually built a model
behind that to actually track
[00:32:45.40]
devices. And we actually we have
a pretty good error rate on
that, 24%, so within 3 meters
[00:32:50.33]
I can find where your device is
and uhh here's actually a graph
of it. If you take that UD100
[00:32:56.10]
device, hook up a high gain
antenna to it, I can actually
track your device up to about
[00:33:00.67]
700 meters, or almost a half
mile. So I can follow you pretty
well with a pretty good idea
[00:33:06.20]
which direction it is, because
these antennas are directional.
So I can be like oh yeah he's
[00:33:10.57]
actually that way about 600
meters away. So let me actually
give you a demo of this, this is
[00:33:14.97]
actually me tracking a target,
I'm sitting in my home, just
relaxing, tracking a target. Umm
[00:33:19.97]
[00:33:30.60]
[laughter]. [Clapping]. So my
very high tech method was taking
a Fitbit and duct taping it to
[00:33:34.43]
my child, [laughter]. Yeah my
wife wasn't very thrilled about
this one. You think that table
[00:33:39.43]
[00:33:42.70]
was bad, this was worse. So yeah
you can track targets very far
with that kind of equipment,
[00:33:47.80]
that's really the point. Ummm
and really overall the thing we
really wanted to make clear was
[00:33:53.93]
that vendors overall just did
not prioritize the right thing.
They were prioritizing physical
[00:33:59.70]
security over wireless security.
Umm obviously there is
exceptions, Kwikset decided
[00:34:04.97]
that a screwdriver could be a
second key, umm probably not the
best design decision, but
[00:34:10.20]
overall um we evaluated a lot of
devices. And we found that 12
out of 16 of them were broken.
[00:34:15.20]
[00:34:17.70]
Umm and that's a very high
number, I went into this
thinking hey maybe I'll find one
[00:34:21.67]
or two devices that are broken,
no I found 12. So overall
they're pretty, pretty bad. And
[00:34:27.10]
umm I really wanted vendors to
know that there's a problem so
that we can actually fix it. And
[00:34:32.00]
then finally we wanted to put
out a recommendation to users,
what we wanted to tell you guys
[00:34:37.13]
hey, turn off your bluetooth
when it's not in use, uhh
especially here at Defcon. Please
[00:34:41.50]
turn off your bluetooth. Uhh
because people are walking
around and I'm like Gary's
[00:34:46.37]
iPhone. Hi Gary, I'm gonna
connect to your stuff now. Ummm
so turn it off when it's not in
[00:34:51.90]
use. Because that's why that
relay attack works, it's because
you're constantly advertising and
[00:34:57.17]
looking for these devices and
that's how I take advantage of
it. Umm so some of the big
[00:35:01.67]
future work we want to work on.
I found a really surprising
thing with history logs. So
[00:35:07.00]
people are, a lot of these lock
companies build history logs
into their devices, which is
[00:35:11.17]
great. But they didn't hide it
behind a password. So I can
actually connect to your
[00:35:15.67]
device and see everything about
your lock. And it even gets
better, they are actually
[00:35:20.37]
storing usernames and passwords.
So let's think of a hypothetical
situation where we have users:
[00:35:26.50]
Mom, Dad, Jimmy and Sally. And
we have time stamps associated
with when they come home and
[00:35:31.17]
when they leave. So now I know
when mom and dad are home, I
know when Jimmy and Sally are
[00:35:35.27]
home, I know when they are not
home. So when I'm a bad person I
can take advantage of this. And
[00:35:40.20]
really we want to put some
pressure onto vendors so that
way they would fix this problem.
[00:35:44.07]
Next uhhh using rogue devices,
do a dynamic profile. I want to
advertise 20 different
[00:35:46.07]
advertisements packets, so I can
connect, so I can advertise 20
different devices, so that way
[00:35:48.07]
when somebody connects to me, I
serve my GATT server to match
whatever they are looking for.
[00:35:50.17]
So that way I can steal your
password. Next there's a lot
more commands out on those GATT
[00:35:52.17]
servers we want to implement
into Python. Umm more than just
the connect read and write. And
[00:35:54.97]
[00:36:09.27]
then finally I'm most excited
for this, we bought one of those
bluetooth ATM lock and we are
[00:36:14.47]
actually going to tear it apart
and see if we can break into it.
If these things, these locks are
[00:36:19.43]
no indication already, it should
be pretty easy. But I'm hoping
its better than we think it is.
[00:36:25.10]
That's really it. I wanted to
uhh open up the floor for some
questions, so if you have any
[00:36:29.00]
questions come up to the
microphone and hopefully I can
answer them. Thank you.
[00:36:34.00]
[00:36:39.63]
[Clapping] [Clapping] Yup?
>>Question: Hello. First thanks
for looking into this hell of a
[00:36:46.10]
lot of devices. Really
interesting. I did some similar
research and I want to add on
[00:36:51.07]
your two unbreakable first ones,
because I looked into 3 devices
and broke 3 of them. And 2 of
[00:36:57.30]
them being the Noke and the
masterlock. So uhh I'm not
disclosing too much right now,
[00:37:03.07]
because Noke actually responded
to my request and they are
fixing it. But just so much they
[00:37:08.53]
have AES, but they are doing it
wrong, so I broke their AES
crypto. And the masterlock has a
[00:37:14.70]
physical bypass. So I will talk
about that if I realise it to
them. And the third one was
[00:37:21.33]
shammable, Oh my God. But thanks
for your work and possibly
exchange contacts later. >>Ahhh
[00:37:26.87]
yeah that's awesome. Umm come
grab me afterwards I would love
to talk to you, because there's
[00:37:31.37]
always so many devices out there
that I haven't had a chance to
break and always cool ways to do
[00:37:35.23]
it, so thank you. >>Question:
You talked earlier about an
Insteon talk that would be
[00:37:40.37]
happening later, what are the
details on that? >>Yeah that's
actually in the wireless
[00:37:43.53]
village, my friend Kallub is
actually going to be giving that
up in the wireless village at
[00:37:47.70]
12:20 I think. Somewhere around
there? >>12:20 at the wireless
village, because uhh about
[00:37:52.77]
Insteon door locks or? >>It's
about Insteon devices overall,
so it's mostly focusing on I
[00:37:57.60]
think the lights, the camera and
the hub. So go check it out it
will be really cool. >> Thank
[00:38:03.17]
you. Great talk by the way. >>
Thank you >> Question: These
locks that you were taking
[00:38:08.20]
apart, you said they were
emphasizing physical security.
Did you notice any tamper
[00:38:12.60]
detection in the firmware at
all? >> I did not notice any,
but I wasn't actually
[00:38:17.10]
specifically looking for it. Umm
but I mean all the locks that I
used, at least 50...um
[00:38:22.53]
wirelessly the ones I sent
commands to, really a lot of
them didn't care what I was
[00:38:27.30]
sending because they thought I
was the device. So... >> So what
I'm talking about is actually
[00:38:31.17]
something where, where there's
something in the firmware or a
switch, determines a case was
[00:38:34.90]
opened or something that was
being tampered with. >> I
haven't looked for that, that's
[00:38:38.47]
actually a very fascinating
thing I could look into, so I
will have to check that out. >>
[00:38:43.00]
Check, please do. >> Thank you
>> Question: Yeah thanks, great
talk. Question, ummm so do you
[00:38:49.33]
think the time dependent in the
rolling code of like what we use
in the payment system will solve
[00:38:54.60]
some of the security issue you
mentioned? >> Um you talk about
a rolling code? >> Yeah time
[00:39:00.83]
dependent, only code you see
like in a payment system. >>
Yeah I think that helps the
[00:39:04.33]
situation but if I do a relay
attack over long distance it
wouldn't matter, because i'm
[00:39:09.23]
pretty much convincing the user
to send me a password and then I
relay it over to the lock in
[00:39:13.63]
realtime. So really what they
need to do is obviously
geolocation they can help with,
[00:39:19.07]
not allowing these apps to run
continuously is a big deal. So
there's a lot, there's a
[00:39:23.47]
combination of things they
actually need to implement to
actually prevent these things
[00:39:27.23]
from being vulnerable. So uhh so
thats a big part of it though.
Gotcha. >> Yeah thanks. >> Thank
[00:39:34.13]
you. >> Question: Hi um
regarding the uncrackable locks,
you showed at the beginning. Why
[00:39:38.10]
were you not able to break the Kwikset
Kevo or the August lock
electronically? >>So part of it's
[00:39:44.23]
time. So I started finding
vulnerabilities in other locks
and dedicated more time to those
[00:39:48.70]
ones, and some of them I just
haven't come up with creative
ways to do it yet. I know other
[00:39:51.00]
people have done things and I am
very fascinated by learning what
they are, but yeah currently at
[00:39:53.00]
least the methods I was using
they weren't able to break them
yet. I think the relay method at
[00:39:55.00]
least should be able to break
some of those locks, but I just
need to test it out at this point.
[00:40:00.00]
[00:40:09.87]
>> Awesome, awesome talk. >>
Thanks >> Question: Yeah great
talk thanks. That was actually
[00:40:13.93]
my questions as well, but as a
follow up: have you looked at
realtors, the tool they are
[00:40:18.57]
using now to uhhh... so I just
recently purchased a house, the
realtor goes up and the little
[00:40:23.57]
door lock they put, that's all
bluetooth now. >> Uhh that's
awesome. >> Yeah so they put in
[00:40:28.10]
a code and it spits out
actually the physical key to the
house. So you might want to.. >>
[00:40:31.93]
I'm going to have to buy one of
those, that's, that, that's
awesome. >> Yeah thanks, great
[00:40:35.90]
talk. >>Thank you. >> Question:
Great talk. I wanted to ask you
if you have looked into also
[00:40:41.40]
medical devices? After all if
someone wants to break into your
house, he can do it the old
[00:40:45.50]
fashioned way, but with a body
it's more difficult. >> So
originally I wanted to focus on
[00:40:50.37]
medical devices, specifically
pacemakers and insulin pumps.
Uhhh so I am a student
[00:40:56.63]
currently, and all my fellow
students looked at me like I was
crazy. And they are like you are
[00:41:00.70]
going to kill somebody, and I
was like that's not the point. I
want to test devices and look
[00:41:05.13]
for issues, but really what it
comes down to, is getting hold
of these devices is really
[00:41:09.83]
difficult. But I want to do
that, I actually want to look
into these devices, but finding
[00:41:14.93]
them short of buying them off a
dead body I'm not really gonna
get one. Hahaha. >> Thanks
[00:41:21.73]
Great. >> Thanks >> Question: So
one of the things that allows
these attacks to work is that
[00:41:26.57]
you are able to sniff this
plain text traffic off of the
radio waves I guess. Ummm does
[00:41:33.13]
BLE offer any option for
encrypted communication other
than implementing it yourself?
[00:41:39.00]
>> Umm so they actually have a
link layer encryption in 4.1,
ummm but if you have ever, if
[00:41:44.43]
you have looked into Mike Ryan's
work: he actually breaks that.
Um they actually have a, it's
[00:41:48.53]
very vulnerable. So they
actually developed a new
protocol, 4.2, that actually
[00:41:52.70]
implements link layer encryption
that actually works better, but
what we found is that most
[00:41:57.40]
devices don't use it. It's not
very common. So umm obviously if
they could use the link layer
[00:42:02.53]
encryption in the protocol, on
top of an app layer encryption
that would be more ideal. That
[00:42:07.30]
might deter some people. So
hopefully that's what we see in
the future. >> Cool thank you.
[00:42:12.57]
>> Thanks. Ummm I think I'm out
of time, so thank you guys,
thank you very much. [Clapping]
[00:42:15.80]